29. Managing operational risks Flashcards
What are the characteristics of desirable operational risk controls
- Focussed on results
- In place for measurable and non-measurable events
- Standardised for efficient communication
- High quality, to improve management
- Few rather than many
- Meaningful and appropriate
- Timely, to give sufficient warning
- Simple, so easily understood
What risks are associated with outsourcing
o Failure to deliver commitments
o Reduced control over processes and people
What considerations must you take before entering an outsourcing agreement
o Regulatory environment and status of 3rd party
o Financial standing of 3rd party
o Competency, business continuity plans and risk processes
o Legal agreement with 3rd party incl. right to terminate, and 3rd party’s right to sub-contract
o How 3rd party will be monitored
List examples of external events
o Loss of IT / telephone capacity
o Loss of people and skills
o Bad PR / negative publicity
o Disrupted supply chains
o Fire/flooding/high winds
o Protest from pressure groups (e.g. animal rights activists)
o Terrorist damage
Explain how business continuity and crisis management can be used to manage risk
- BC defn: safeguarding business’s reputation, brand and other value-creating activities
- Develop BCP and test it regularly
o Reassures stakeholders that business interruption risks managed - E.g.
o Offsite back-ups of data in case hard drive fails
o Renting redundant office block and computer system ready for activation - CMP
o Ensures clear and organised responses in event of significant incident
o CM Group takes control of issue and co-ordinates action - Could take advantage of unexpected gains or reduce losses in event of critical incident
- Consequential loss insurance for compensation for loss of profits due to business disruption
How would you manage reputational risks
o Stay aware of regulatory and legal changes and likely impact
o Influence changes through lobbying
How would you manage technology risk?
- Keep systems up-to-date – balance functionality with costs
- Routine maintenance – esp for IT solutions developed in-house
- Thorough testing for robustness and compatibility when introducing new IT systems
- Quick response to IT helpdesks to deal with minor IT issues
- Train staff – e.g. phishin
- Restric employees’ social media usage or devises that might circumvent IT security e.g. usb drives
- Implement and test security software and routines
o e.g. firewalls, backups and regular password changes
o To prevent cyber attacks and ensure data rapidly recovered in event of loss
In what ways to people introduce risk to organisation
- Employment
- Adverse selection
- Moral hazard
- Agency risk
- Bias
Suggest ways to manage risks associated with employment
- Recruitment processes
o Cost effective recruitment of right people
o Enforceable employment contracts - Competency management processes
o Training requirements – incl. induction, CPD and professional qualifications
o Risk training enhances understanding of risk management - Appraisals and performance management processes
o Talent management – promotion and transfer
o Retaining right employees
o Identify poor performers, support and disciplinary action
o NED must regularly appraise skills, knowledge and expertise and undertake professional development where necessary - Relationship management
o Employment-related collective bodies, e.g., unions
Suggest ways to manage risks associated with adverse selection
- Underwriting
- Product design
- Pricing
Suggest ways to manage risks associated with moral hazard
- Make consequences unattractive – e.g. make it an offence to make fraudulent claim
- Prevention – e.g. ensure insurable interest
Suggest ways to manage agency risk
- Use incentivising performance and remuneration structure
Suggest ways to manage risks associated with bias
- Checks and balances built into system
- Assessments must be checked by an independent and competent checker
- Consider introducing an “optimism bias” into appraisal of capital projects
- Education on unintentional bias
Suggest ways to manage process risk / change management
- Pilot studies
- Precise definition of requirements of new solution to best meet needs of whole org
- Design systems that can be easily maintained, enhanced and upgraded
- Carefully deploy new systems by educating users
- Must stress test new system in isolation and within larger org
- Must review new processes regularly for effectiveness
Suggest ways to manage model risk
- Ensure robust process around choice of model
- Document processes for model and assumptions
- Clear audit trails and change-management routines
- Test model thoroughly before use
- Maintain and develop model over time, with regular reviews
- Ensure staff adequately trained and clear accountabilities
- Understand key drivers / assumptions in model …
… and subject model to tests of parameter uncertainty - Use models only for intended purpose
- Appreciate limitations of model
- Avoid overly complex models (principle of parsimony)
- Ensure workings and results are easy to communicate and appreciate …
… and capable of independent verification for reasonableness